Block Ultrasurf and Similar Applications with NG Firewall

Applications like Ultrasurf and Betternet that use tunneling, proxies, and other evasion techniques to get around filtering can be difficult to block. In most situations we recommend blocking these using Windows Group Policy, as discussed at the bottom of this page. NG Firewall can also block them through the use of Firewall Rules, Application Control, and SSL Inspection.

Firewall Rules

To block proxies and other evasion techniques, you must add an egress (outbound) firewall rule that blocks all outbound traffic and allows only the traffic that is required. Blocking all outbound ports stops the port-hopping activity of these applications.

Go to Firewall > Settings

Click Add to add a rule

Enter a Description and set the Action Type to Block, as in the screenshot below:


Application Control

Application Control detects some versions of Ultrasurf and other evasion applications. It also detects traffic on HTTP and HTTPS ports that is not using the HTTP/HTTPS protocol.

Go to Application Control > Settings

Under the Applications tab, select Tarpit for Ultrasurf and any other proxy applications you want blocked.

Under the Rules tab, enable all options as shown below

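The check described in this section, flagging traffic on ports 80 and 443 that is not actually HTTP or TLS, can be illustrated with a short script. This is an added example, not NG Firewall's Application Control code; the function names and sample flows are constructed for illustration, and it assumes only the first client-to-server payload of each flow is examined.

```python
import re

# First line of a well-formed HTTP/1.x request: METHOD SP target SP version CRLF
HTTP_REQUEST = re.compile(
    rb"(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3,
    2-byte record length, followed by handshake type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < record_len <= 16384 and data[5] == 0x01)

def classify(port: int, first_bytes: bytes) -> str:
    """Return 'http', 'tls', or 'nonconforming' for a flow on a web port."""
    if port == 80 and HTTP_REQUEST.match(first_bytes):
        return "http"
    if port == 443 and looks_like_tls_client_hello(first_bytes):
        return "tls"
    return "nonconforming"

def flag_flows(flows):
    """List (source, port) for flows on 80/443 whose payload does not match
    the protocol expected on that port. Other ports are out of scope here;
    the egress firewall rule is what covers them."""
    return [(src, port) for src, port, data in flows
            if port in (80, 443) and classify(port, data) == "nonconforming"]

# Constructed sample input: (source address, destination port, first payload bytes)
CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303") + bytes(32)
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.5", 443, CLIENT_HELLO),
    ("10.0.0.9", 443, bytes.fromhex("8f3a11c04e7720d9")),  # opaque bytes, no TLS header
    ("10.0.0.9", 80, CLIENT_HELLO),                        # TLS handshake on the HTTP port
    ("10.0.0.7", 8080, b"\x00\x01\x02\x03\x04\x05"),       # not a web port, not checked
]

if __name__ == "__main__":
    for src, port in flag_flows(SAMPLE_FLOWS):
        print(f"nonconforming traffic from {src} on port {port}")
```

A flow that passes this check on port 443 is only known to start with a TLS handshake; inspecting what it carries is the job of SSL Inspector.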

SSL Inspector

SSL Inspector inspects all HTTPS connections so that evasion applications cannot tunnel through NG Firewall using HTTPS.

Go to SSL Inspector > Settings

Under the Configuration tab enable Block Invalid Traffic

Under the Rules tab enable Inspect All Traffic, as shown below


Blocking Evasion Applications with Windows Group Policy

This method of blocking Ultrasurf and similar applications is recommended as it is much more effective and manageable for most network environments. Blocking with Group Policy is accomplished by adding a Software Restriction Rule to block the hash and/or the certificate used by the offending software.

For more information on adding this using Group Policy, visit the Microsoft TechNet article: